Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, 10 Jul 2013, Simo Sorce wrote:
> On Wed, 2013-07-10 at 19:55 +0300, Alexander Bokovoy wrote:
> > > > > The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though.
> > > >
> > > > I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok.
> >
> > New patch attached. After discussion with Simo on IRC, I decided to use krb5_parse_name() to properly parse krbPrincipalName attribute for the service and veto it against pre-defined set of services we support generating MS-PAC for on the IPA master. The list currently includes only cifs/ipa.master@REALM and HTTP/ipa.master@REALM as host/ipa.master@REALM is handled by the is_host case.
>
> LGTM.

Committed to master.

-- 
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
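Two passages in this thread describe the decision ipadb_fill_info3() ends up making: Sumit's commit message (a host/ principal gets a PAC only when the host has an entry under cn=masters,cn=ipa,cn=etc, with the well-known RIDs 515 as primary gid and 516 as rid), and the final round above (a service principal gets one only when krb5_parse_name() yields cifs/ or HTTP/ on an IPA master, host/ being covered by the is_host case). The C below is an added illustration of that decision table; it is not FreeIPA code and not code from this thread. It assumes a constructed in-memory master list in place of the LDAP base search, a small escape-aware splitter in place of krb5_parse_name(), hypothetical kdb_entry and ipa_ctx structures that flatten what the KDB driver reads from the entry, and, because the posted service patch is cut off before its RID assignments, reuses the host RID values for the service case.

```c
/* Added example, not FreeIPA code: the MS-PAC decision this thread converges on
 * for ipadb_fill_info3(). A constructed table stands in for the cn=masters lookup,
 * an escape-aware splitter for krb5_parse_name(); kdb_entry/ipa_ctx are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define DOMAIN_COMPUTERS_RID   515  /* primary gid of host PACs (from the patch) */
#define DOMAIN_CONTROLLERS_RID 516  /* rid of IPA master host PACs (from the patch) */

enum pac_kind { PAC_NONE = 0, PAC_USER, PAC_MASTER_HOST, PAC_MASTER_SERVICE };
struct pac_info { enum pac_kind kind; unsigned rid; unsigned prigid; };
struct principal { char service[64]; char host[256]; char realm[256]; };
/* objectClass flags plus the attributes the patch reads from the entry */
struct kdb_entry { bool is_user, is_host, is_service; const char *fqdn; const char *principal; };
/* realm plus the IPA masters; the real code does an LDAP base search instead */
struct ipa_ctx { const char *realm; const char *const *masters; };

/* Services on a master that may get a synthetic PAC (the list from the thread). */
static const char *const pac_services[] = { "cifs", "HTTP", NULL };
static bool is_master_host(const struct ipa_ctx *ctx, const char *fqdn)
{
    for (const char *const *m = ctx->masters; *m != NULL; m++)
        if (strcasecmp(*m, fqdn) == 0)
            return true;
    return false;
}

/* Stand-in for krb5_parse_name(): splits "svc/host@REALM" honouring backslash
 * escapes, so an escaped '/' or '@' stays inside its component instead of acting
 * as a separator (why a plain strchr() split is not enough). Max two components. */
static bool parse_principal(const char *name, struct principal *out)
{
    char *dst = out->service;
    size_t cap = sizeof out->service, n = 0;
    int part = 0;                     /* 0 = first component, 1 = host, 2 = realm */

    out->service[0] = out->host[0] = out->realm[0] = '\0';
    for (const char *p = name; *p != '\0'; p++) {
        char c = *p;
        if (c == '\\' && p[1] != '\0') {
            c = *++p;                 /* escaped character: keep it literally */
        } else if (c == '/' && part == 0) {
            dst[n] = '\0'; part = 1; dst = out->host; cap = sizeof out->host; n = 0;
            continue;
        } else if (c == '@' && part < 2) {
            dst[n] = '\0'; part = 2; dst = out->realm; cap = sizeof out->realm; n = 0;
            continue;
        } else if (c == '/' || c == '@') {
            return false;             /* more components than handled here */
        }
        if (n + 1 >= cap)
            return false;
        dst[n++] = c;
    }
    dst[n] = '\0';
    return part == 2 && out->service[0] != '\0' && out->realm[0] != '\0';
}

static struct pac_info decide_pac(const struct ipa_ctx *ctx, const struct kdb_entry *e)
{
    const struct pac_info none = { PAC_NONE, 0, 0 };
    const struct pac_info master = { PAC_MASTER_HOST, DOMAIN_CONTROLLERS_RID, DOMAIN_COMPUTERS_RID };
    struct principal p;

    if (e->is_user)                   /* users always get a PAC; SID/gid come from the entry */
        return (struct pac_info){ PAC_USER, 0, 0 };
    if (e->is_host)                   /* host/fqdn@REALM: IPA masters only, well-known RIDs */
        return (e->fqdn != NULL && is_master_host(ctx, e->fqdn)) ? master : none;
    if (!e->is_service || e->principal == NULL || !parse_principal(e->principal, &p))
        return none;
    /* svc/fqdn@REALM: must be a vetted service, on a master, in our own realm */
    if (strcmp(p.realm, ctx->realm) != 0 || p.host[0] == '\0' || !is_master_host(ctx, p.host))
        return none;
    for (const char *const *s = pac_services; *s != NULL; s++)
        if (strcmp(p.service, *s) == 0) {
            /* assumption: the posted service patch is cut off before its RID values, so host values are reused */
            struct pac_info svc = master;
            svc.kind = PAC_MASTER_SERVICE;
            return svc;
        }
    return none;                      /* e.g. ldap/ on a master, or any non-master host */
}

int main(void)
{
    static const char *const masters[] = { "ipa.example.com", NULL };  /* constructed */
    const struct ipa_ctx ctx = { "EXAMPLE.COM", masters };
    const struct kdb_entry samples[] = {                                  /* constructed */
        { false, true,  false, "ipa.example.com", "host/ipa.example.com@EXAMPLE.COM" },
        { false, false, true,  NULL,              "HTTP/ipa.example.com@EXAMPLE.COM" },
        { false, false, true,  NULL,              "ldap/ipa.example.com@EXAMPLE.COM" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct pac_info pi = decide_pac(&ctx, &samples[i]);
        printf("%-36s kind=%d rid=%u prigid=%u\n", samples[i].principal, pi.kind, pi.rid, pi.prigid);
    }
    return 0;
}
```

Built stand-alone, main() prints the decision for three constructed entries: the master's host/ principal and HTTP/ principal get a PAC with rid 516 and primary gid 515, ldap/ on the same master gets none. The detail worth keeping from parse_principal() is that a backslash-escaped separator stays inside its component (HTTP/ipa\/weird@REALM parses to host "ipa/weird"), which is the behaviour a hand-rolled strchr() split on '/' and '@' would not give you and the reason the thread moved to krb5_parse_name().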
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Tue, 2013-07-09 at 22:39 +0200, Jakub Hrozek wrote:
> On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote:
> > On Tue, 09 Jul 2013, Jakub Hrozek wrote:
> > > On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
> > > > On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> > > > > On Mon, 01 Jul 2013, Sumit Bose wrote:
> > > > > > Hi,
> > > > > >
> > > > > > this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being.
> > > > > >
> > > > > > bye,
> > > > > > Sumit
> > > > > >
> > > > > > From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> > > > > > From: Sumit Bose sb...@redhat.com
> > > > > > Date: Mon, 1 Jul 2013 13:47:22 +0200
> > > > > > Subject: [PATCH] Add PAC to master host TGTs
> > > > > >
> > > > > > For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host.
> > > > >
> > > > > s/SALS/SASL/
> > > >
> > > > Thank you for the review, I've fixed the typo and added the numerical values for the well-known RIDs to the commit message.
> > > >
> > > > > > To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being.
> > > > >
> > > > > I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts.
> > > >
> > > > I'm not sure if this restriction is needed. With SSSD's ipa_server_mode any IPA master (which networkwise can access an AD server of the trusted domain) can read AD user and group data, no running smbd or winbind is required. So it would be possible to run the extdom plugin or the compat plugin for the legacy clients on any IPA server which would allow a much better load balancing. If there are other concerns I'm happy to add the restriction.
> > > >
> > > > bye,
> > > > Sumit
> > >
> > > I don't think I know the code good enough to provide a full review, but the patch enables the lookups from an IPA master without any additional hacks. So ack on functionality at least.
> >
> > Ok. I've extended this functionality to generate MS-PAC also for services running on IPA masters. Patch attached. This is needed to finally get rid of access to trust auth material for IPA python code. HTTP/fqdn@REALM will now be able to authenticate against AD LDAP server and look up needed information directly, without elevating privileges to trust admins. This should also help for AD range discovery Tomas is working on.
>
> Hi,
>
> The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though.

I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, 10 Jul 2013, Simo Sorce wrote:
> On Tue, 2013-07-09 at 22:39 +0200, Jakub Hrozek wrote:
> > On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote:
> > > On Tue, 09 Jul 2013, Jakub Hrozek wrote:
> > > > On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
> > > > > On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> > > > > > On Mon, 01 Jul 2013, Sumit Bose wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being.
> > > > > > >
> > > > > > > bye,
> > > > > > > Sumit
> > > > > > >
> > > > > > > From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> > > > > > > From: Sumit Bose sb...@redhat.com
> > > > > > > Date: Mon, 1 Jul 2013 13:47:22 +0200
> > > > > > > Subject: [PATCH] Add PAC to master host TGTs
> > > > > > >
> > > > > > > For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host.
> > > > > >
> > > > > > s/SALS/SASL/
> > > > >
> > > > > Thank you for the review, I've fixed the typo and added the numerical values for the well-known RIDs to the commit message.
> > > > >
> > > > > > > To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being.
> > > > > >
> > > > > > I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts.
> > > > >
> > > > > I'm not sure if this restriction is needed. With SSSD's ipa_server_mode any IPA master (which networkwise can access an AD server of the trusted domain) can read AD user and group data, no running smbd or winbind is required. So it would be possible to run the extdom plugin or the compat plugin for the legacy clients on any IPA server which would allow a much better load balancing. If there are other concerns I'm happy to add the restriction.
> > > > >
> > > > > bye,
> > > > > Sumit
> > > >
> > > > I don't think I know the code good enough to provide a full review, but the patch enables the lookups from an IPA master without any additional hacks. So ack on functionality at least.
> > >
> > > Ok. I've extended this functionality to generate MS-PAC also for services running on IPA masters. Patch attached. This is needed to finally get rid of access to trust auth material for IPA python code. HTTP/fqdn@REALM will now be able to authenticate against AD LDAP server and look up needed information directly, without elevating privileges to trust admins. This should also help for AD range discovery Tomas is working on.
> >
> > Hi,
> >
> > The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though.
>
> I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok.

New patch attached.

-- 
/ Alexander Bokovoy

From e150e2abd67538db1b53d5b5dd096bd15e2ffe58 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 9 Jul 2013 14:05:02 +0300
Subject: [PATCH 15/15] Generate synthetic MS-PAC for all services running on IPA master

MS-PAC is required to be present in TGT if one wants to connect to AD services using this TGT. Users get MS-PAC by default, SSSD in ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP. This patch enables other services running on IPA master to connect to AD services. This is required for IPA python code doing discovery of remote AD domain settings shortly after IPA-AD trust has been established.

--- daemons/ipa-kdb/ipa_kdb_mspac.c | 56 +++-- 1 file changed, 49 insertions(+), 7 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 92dc8dd..4944bb8 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -392,13 +392,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, struct dom_sid sid; gid_t prigid = -1; time_t timeres; -char *strres; +char *strres, *strhost, *strat; int intres; int ret; char **objectclasses = NULL; size_t c; bool is_host = false; bool is_user = false; +bool is_service = false; ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, objectClass, objectclasses); @@ -407,6 +408,9 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, if (strcasecmp(objectclasses[c], ipaHost) == 0) { is_host = true; } +if (strcasecmp(objectclasses[c], ipaService) == 0) { +is_service = true; +
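Review bot: the `-char *strres; +char *strres, *strhost, *strat;` change in the first `ipadb_fill_info3()` hunk introduces scratch pointers for a by-hand split of krbPrincipalName at '/' and '@'; such a split does not honour backslash-escaped separators, so the service and host it extracts can differ from the components the KDC itself derives from the name. Parse the attribute with krb5_parse_name() and compare the resulting krb5_principal components against the allowed services instead, which is what the follow-up in this thread reports doing. The posted text also ends right after `+is_service = true;`, so the new is_service branch that decides which services qualify cannot be reviewed from this excerpt.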
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, 10 Jul 2013, Alexander Bokovoy wrote:
> On Wed, 10 Jul 2013, Simo Sorce wrote:
> > On Tue, 2013-07-09 at 22:39 +0200, Jakub Hrozek wrote:
> > > On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote:
> > > > On Tue, 09 Jul 2013, Jakub Hrozek wrote:
> > > > > On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
> > > > > > On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> > > > > > > On Mon, 01 Jul 2013, Sumit Bose wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being.
> > > > > > > >
> > > > > > > > bye,
> > > > > > > > Sumit
> > > > > > > >
> > > > > > > > From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> > > > > > > > From: Sumit Bose sb...@redhat.com
> > > > > > > > Date: Mon, 1 Jul 2013 13:47:22 +0200
> > > > > > > > Subject: [PATCH] Add PAC to master host TGTs
> > > > > > > >
> > > > > > > > For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host.
> > > > > > >
> > > > > > > s/SALS/SASL/
> > > > > >
> > > > > > Thank you for the review, I've fixed the typo and added the numerical values for the well-known RIDs to the commit message.
> > > > > >
> > > > > > > > To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being.
> > > > > > >
> > > > > > > I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts.
> > > > > >
> > > > > > I'm not sure if this restriction is needed. With SSSD's ipa_server_mode any IPA master (which networkwise can access an AD server of the trusted domain) can read AD user and group data, no running smbd or winbind is required. So it would be possible to run the extdom plugin or the compat plugin for the legacy clients on any IPA server which would allow a much better load balancing. If there are other concerns I'm happy to add the restriction.
> > > > > >
> > > > > > bye,
> > > > > > Sumit
> > > > >
> > > > > I don't think I know the code good enough to provide a full review, but the patch enables the lookups from an IPA master without any additional hacks. So ack on functionality at least.
> > > >
> > > > Ok. I've extended this functionality to generate MS-PAC also for services running on IPA masters. Patch attached. This is needed to finally get rid of access to trust auth material for IPA python code. HTTP/fqdn@REALM will now be able to authenticate against AD LDAP server and look up needed information directly, without elevating privileges to trust admins. This should also help for AD range discovery Tomas is working on.
> > >
> > > Hi,
> > >
> > > The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though.
> >
> > I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok.

New patch attached. After discussion with Simo on IRC, I decided to use krb5_parse_name() to properly parse krbPrincipalName attribute for the service and veto it against pre-defined set of services we support generating MS-PAC for on the IPA master. The list currently includes only cifs/ipa.master@REALM and HTTP/ipa.master@REALM as host/ipa.master@REALM is handled by the is_host case.

I verified it by initializing ccache with /etc/httpd/conf/ipa.keytab and accessing AD over LDAP, it worked well (same result for host/):

# kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipa.example@example.com
# ldapsearch -Y GSSAPI -h altai.ad.lan -b dc=ad,dc=lan '(cn=IPAX$)'
SASL/GSSAPI authentication started
SASL username: HTTP/ipa.example@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base dc=ad,dc=lan with scope subtree
# filter: (cn=IPAX$)
# requesting: ALL
#

# IPAX$, Users, ad.lan
dn: CN=IPAX$,CN=Users,DC=ad,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IPAX$
distinguishedName: CN=IPAX$,CN=Users,DC=ad,DC=lan
instanceType: 4
whenCreated: 20130708091622.0Z
whenChanged: 20130710123914.0Z
uSNCreated: 98603
uSNChanged: 102524
name: IPAX$
objectGUID:: FxL42tGLnEOfKkuMw6sVVw==
userAccountControl: 2080
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 130179335549552172
pwdLastSet: 130177485824178582
primaryGroupID: 513
objectSid:: AQUAAAUVzl3L0KYmgQdG8ZPbeQQAAA==
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: IPAX$
sAMAccountType: 805306370
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=lan
isCriticalSystemObject: TRUE
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, 2013-07-10 at 19:55 +0300, Alexander Bokovoy wrote:
> > > > The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though.
> > >
> > > I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok.
>
> New patch attached. After discussion with Simo on IRC, I decided to use krb5_parse_name() to properly parse krbPrincipalName attribute for the service and veto it against pre-defined set of services we support generating MS-PAC for on the IPA master. The list currently includes only cifs/ipa.master@REALM and HTTP/ipa.master@REALM as host/ipa.master@REALM is handled by the is_host case.

LGTM.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
> On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> > On Mon, 01 Jul 2013, Sumit Bose wrote:
> > > Hi,
> > >
> > > this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being.
> > >
> > > bye,
> > > Sumit
> > >
> > > From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> > > From: Sumit Bose sb...@redhat.com
> > > Date: Mon, 1 Jul 2013 13:47:22 +0200
> > > Subject: [PATCH] Add PAC to master host TGTs
> > >
> > > For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host.
> >
> > s/SALS/SASL/
>
> Thank you for the review, I've fixed the typo and added the numerical values for the well-known RIDs to the commit message.
>
> > > To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being.
> >
> > I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts.
>
> I'm not sure if this restriction is needed. With SSSD's ipa_server_mode any IPA master (which networkwise can access an AD server of the trusted domain) can read AD user and group data, no running smbd or winbind is required. So it would be possible to run the extdom plugin or the compat plugin for the legacy clients on any IPA server which would allow a much better load balancing. If there are other concerns I'm happy to add the restriction.
>
> bye,
> Sumit

I don't think I know the code good enough to provide a full review, but the patch enables the lookups from an IPA master without any additional hacks. So ack on functionality at least.
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote:
> On Tue, 09 Jul 2013, Jakub Hrozek wrote:
> > On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
> > > On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> > > > On Mon, 01 Jul 2013, Sumit Bose wrote:
> > > > > Hi,
> > > > >
> > > > > this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being.
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > > > From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> > > > > From: Sumit Bose sb...@redhat.com
> > > > > Date: Mon, 1 Jul 2013 13:47:22 +0200
> > > > > Subject: [PATCH] Add PAC to master host TGTs
> > > > >
> > > > > For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host.
> > > >
> > > > s/SALS/SASL/
> > >
> > > Thank you for the review, I've fixed the typo and added the numerical values for the well-known RIDs to the commit message.
> > >
> > > > > To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being.
> > > >
> > > > I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts.
> > >
> > > I'm not sure if this restriction is needed. With SSSD's ipa_server_mode any IPA master (which networkwise can access an AD server of the trusted domain) can read AD user and group data, no running smbd or winbind is required. So it would be possible to run the extdom plugin or the compat plugin for the legacy clients on any IPA server which would allow a much better load balancing. If there are other concerns I'm happy to add the restriction.
> > >
> > > bye,
> > > Sumit
> >
> > I don't think I know the code good enough to provide a full review, but the patch enables the lookups from an IPA master without any additional hacks. So ack on functionality at least.
>
> Ok. I've extended this functionality to generate MS-PAC also for services running on IPA masters. Patch attached. This is needed to finally get rid of access to trust auth material for IPA python code. HTTP/fqdn@REALM will now be able to authenticate against AD LDAP server and look up needed information directly, without elevating privileges to trust admins. This should also help for AD range discovery Tomas is working on.

Hi,

The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though.
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Mon, 01 Jul 2013, Sumit Bose wrote:
> Hi,
>
> this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being.
>
> bye,
> Sumit
>
> From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> From: Sumit Bose sb...@redhat.com
> Date: Mon, 1 Jul 2013 13:47:22 +0200
> Subject: [PATCH] Add PAC to master host TGTs
>
> For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host.

s/SALS/SASL/

> To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being.

I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts.

> +static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn) +{ +int ret; +char *master_host_base = NULL; +LDAPMessage *result = NULL; +krb5_error_code err; + +ret = asprintf(master_host_base, cn=%s,cn=masters,cn=ipa,cn=etc,%s, + fqdn, ipactx-base);

here: cn=ADTRUST,cn=%s,cn=masters,cn=ipa,cn=etc,%s

> +if (is_host) { +prigid = 515; /* Well known RID for domain computers group */

Could you please mention this fact in the commit message as well?

> +if (is_host) { +/* Well know RID of domain controllers group */ +info3-base.rid = 516;

Same here.

-- 
/ Alexander Bokovoy
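Review bot: on the quoted `+/* Well know RID of domain controllers group */ +info3-base.rid = 516;` fragment, besides naming the number in the commit message, the code comment should say why a master's host ticket may carry the Domain Controllers RID at all: the PAC's rid is the account RID that the AD side evaluates, so this asserts Domain Controllers membership for the host, and it is only acceptable because the host branch is reached after `is_master_host()` has already rejected every other host with ENOENT. Suggest a comment along the lines of "516 = Domain Controllers; only reached for IPA masters, see the is_master_host() check above", so that a later refactor cannot move the assignment onto the general is_host path; and "Well know" should read "Well known", as in the 515 comment two hunks earlier.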
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> On Mon, 01 Jul 2013, Sumit Bose wrote:
> > Hi,
> >
> > this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being.
> >
> > bye,
> > Sumit
> >
> > From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> > From: Sumit Bose sb...@redhat.com
> > Date: Mon, 1 Jul 2013 13:47:22 +0200
> > Subject: [PATCH] Add PAC to master host TGTs
> >
> > For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host.
>
> s/SALS/SASL/

Thank you for the review, I've fixed the typo and added the numerical values for the well-known RIDs to the commit message.

> > To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being.
>
> I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts.

I'm not sure if this restriction is needed. With SSSD's ipa_server_mode any IPA master (which networkwise can access an AD server of the trusted domain) can read AD user and group data, no running smbd or winbind is required. So it would be possible to run the extdom plugin or the compat plugin for the legacy clients on any IPA server which would allow a much better load balancing. If there are other concerns I'm happy to add the restriction.

bye,
Sumit

> > +static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn) +{ +int ret; +char *master_host_base = NULL; +LDAPMessage *result = NULL; +krb5_error_code err; + +ret = asprintf(master_host_base, cn=%s,cn=masters,cn=ipa,cn=etc,%s, + fqdn, ipactx-base);
>
> here: cn=ADTRUST,cn=%s,cn=masters,cn=ipa,cn=etc,%s
>
> > +if (is_host) { +prigid = 515; /* Well known RID for domain computers group */
>
> Could you please mention this fact in the commit message as well?
>
> > +if (is_host) { +/* Well know RID of domain controllers group */ +info3-base.rid = 516;
>
> Same here.
>
> -- 
> / Alexander Bokovoy

From 76b1be5d8331c92e5837e6e0f7f19fab2876be9b Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 1 Jul 2013 13:47:22 +0200
Subject: [PATCH] Add PAC to master host TGTs

For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host.

We use the well-known RID of the Domain Computers group (515) for the primary gid element of the PAC, this is the same as AD uses for host tickets. The rid element of the PAC is set to the well-known RID of the Domain Controllers group (516). This is working for the SSSD use case but might be improved later for more general use cases.

To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being.

Fixes https://fedorahosted.org/freeipa/ticket/3651

--- daemons/ipa-kdb/ipa_kdb_mspac.c | 154 ++-- 1 file changed, 115 insertions(+), 39 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 2662b947bd589074faa1acf6a9bb97748161cb05..92dc8dd7fa6c51d9edfc4d73cef23b3129c01192 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -58,6 +58,7 @@ static char *user_pac_attrs[] = { objectClass, uid, cn, +fqdn, gidNumber, krbPrincipalName, krbCanonicalName, 
@@ -358,6 +359,29 @@ static int sid_split_rid(struct dom_sid *sid, uint32_t *rid) return 0; } +static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn) +{ +int ret; +char *master_host_base = NULL; +LDAPMessage *result = NULL; +krb5_error_code err; + +ret = asprintf(master_host_base, cn=%s,cn=masters,cn=ipa,cn=etc,%s, + fqdn, ipactx-base); +if (ret == -1) { +return false; +} +err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE, + NULL, NULL, result); +free(master_host_base); +ldap_msgfree(result); +if (err == 0) { +return
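Review bot: in the `is_master_host()` hunk, every non-zero `err` from `ipadb_simple_search()`, including a transient LDAP failure, is folded into the same `return false` as "no such entry", so a directory hiccup silently yields a TGT without a PAC and the SASL bind on the AD side then fails with nothing in the KDC log to explain why; the `asprintf()` failure path takes the same silent route. Fail-closed is the right default here, but log the error, and ideally distinguish LDAP_NO_SUCH_OBJECT from other results, before returning false. The function also answers only "is this an IPA master", not "is this a master with the AD trust components installed", which is the cn=ADTRUST restriction discussed above; whichever base DN is chosen, the comment on the function should state which question it answers.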
[Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
Hi,

this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being.

bye,
Sumit

From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 1 Jul 2013 13:47:22 +0200
Subject: [PATCH] Add PAC to master host TGTs

For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host.

We use the well-known RID for the Domain Computers group for the primary gid element of the PAC, this is the same as AD uses for host tickets. The rid element of the PAC is set to the well-known RID of the Domain Controllers group. This is working for the SSSD use case but might be improved later for more general use cases.

To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being.

Fixes https://fedorahosted.org/freeipa/ticket/3651

--- daemons/ipa-kdb/ipa_kdb_mspac.c | 154 ++-- 1 file changed, 115 insertions(+), 39 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 2662b947bd589074faa1acf6a9bb97748161cb05..92dc8dd7fa6c51d9edfc4d73cef23b3129c01192 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -58,6 +58,7 @@ static char *user_pac_attrs[] = { objectClass, uid, cn, +fqdn, gidNumber, krbPrincipalName, krbCanonicalName, 
@@ -358,6 +359,29 @@ static int sid_split_rid(struct dom_sid *sid, uint32_t *rid) return 0; } +static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn) +{ +int ret; +char *master_host_base = NULL; +LDAPMessage *result = NULL; +krb5_error_code err; + +ret = asprintf(master_host_base, cn=%s,cn=masters,cn=ipa,cn=etc,%s, + fqdn, ipactx-base); +if (ret == -1) { +return false; +} +err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE, + NULL, NULL, result); +free(master_host_base); +ldap_msgfree(result); +if (err == 0) { +return true; +} + +return false; +} + static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, LDAPMessage *lentry, TALLOC_CTX *memctx, 
@@ -371,13 +395,65 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, char *strres; int intres; int ret; +char **objectclasses = NULL; +size_t c; +bool is_host = false; +bool is_user = false; -ret = ipadb_ldap_attr_to_int(lcontext, lentry, gidNumber, intres); -if (ret) { -/* gidNumber is mandatory */ -return ret; +ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, objectClass, + objectclasses); +if (ret == 0 objectclasses != NULL) { +for (c = 0; objectclasses[c] != NULL; c++) { +if (strcasecmp(objectclasses[c], ipaHost) == 0) { +is_host = true; +} +if (strcasecmp(objectclasses[c], ipaNTUserAttrs) == 0) { +is_user = true; +} +free(objectclasses[c]); +} +} +free(objectclasses); + +if (!is_host !is_user) { +/* We only handle users and hosts */ +return ENOENT; +} + +if (is_host) { +ret = ipadb_ldap_attr_to_str(lcontext, lentry, fqdn, strres); +if (ret) { +/* fqdn is mandatory for hosts */ +return ret; +} + +/* Currently we only add a PAC to TGTs for IPA servers to allow SSSD in + * ipa_server_mode to access the AD LDAP server */ +if (!is_master_host(ipactx, strres)) { +free(strres); +return ENOENT; +} +} else { +ret = ipadb_ldap_attr_to_str(lcontext, lentry, uid, strres); +if (ret) { +/* uid is mandatory */ +return ret; +} +} + +info3-base.account_name.string = talloc_strdup(memctx, strres); +free(strres); + +if (is_host) { +prigid = 515; /* Well known RID for domain computers group */ +} else { +ret = ipadb_ldap_attr_to_int(lcontext, lentry, gidNumber, intres); +if (ret) { +/* gidNumber is mandatory */ +return ret; +} +prigid = intres; } -prigid = intres;
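Review bot: in the `ipadb_fill_info3()` hunk, `+info3-base.account_name.string = talloc_strdup(memctx, strres); +free(strres);` never checks the talloc_strdup() result, so an allocation failure leaves an info3 with a NULL account name and the function carries on to build a PAC from it; return ENOMEM when talloc_strdup() returns NULL, after freeing `strres`. Two smaller points in the same hunk: the `+prigid = 515; /* Well known RID for domain computers group */` line in the host branch is only correct because the `is_master_host()` check a few lines earlier has already returned ENOENT for every non-master host, and the comment should say so to keep the two coupled; and the `/* We only handle users and hosts */` ENOENT for entries that are neither ipaHost nor ipaNTUserAttrs is the right fail-closed default, but worth a debug log line, since a missing ipaNTUserAttrs objectClass on a user is a plausible misconfiguration that will otherwise show up only as an AD-side bind failure.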